nyx/SECURITY.md

# Security Policy

## Supported Versions

| Version | Supported | Notes                |
|---------|-----------|----------------------|
| 0.2.x   | ✅        | Latest stable line   |
| 0.1.x   | ✅        | Critical fixes only  |
| < 0.1   | ❌        | End-of-life          |

We follow [Semantic Versioning] as soon as we hit **1.0.0**.  
Before that, breaking changes may land in any minor release.

## Reporting a Vulnerability

* **Private disclosure first.**  
  Please **do not** open public GitHub issues for security bugs.

* **How to report**  
  1. To report a vulnerability, please use the GitHub disclosure in the security tab to alert us to a security issue.

* **What to include**  
  – A minimal PoC or reproduction steps  
  – Affected Nyx version (`nyx --version`) and OS  
  – Impact explanation (e.g. RCE, DoS, data leak)

* **Response timeline**  
  We acknowledge within **3 business days** and give a status update every **7 days** thereafter until resolution.

## Disclosure Process

1. We confirm the issue and assign a CVE (via GitHub or MITRE).  
2. A fix is developed on a private branch and back-ported if needed.  
3. Coordinated release: new version on crates.io + public advisory.  
4. Credit is given to the reporter unless they request anonymity.

## Scope & Severity

This policy covers vulnerabilities that let an **untrusted Nyx input** cause:

* Remote or local code execution in the Nyx process
* Privilege escalation, data exfiltration, or denial of service

**False positives / missed detections** in scan results are *quality issues*, not security issues—please file normal GitHub issues for those.

[Semantic Versioning]: https://semver.org
-												Create SECURITY.md (#25)




											
										
										
											2025-06-28 18:34:22 +02:00
+								# Security Policy
 								## Supported Versions
 								| Version | Supported | Notes                |
 								|---------|-----------|----------------------|
-												Feat/full cfg (#30)

* feat: Enhance control flow analysis with function summaries and taint analysis

* feat: Update taint analysis to utilize function summaries for enhanced tracking

* Refactor `walk.rs` batch processing and override handling:

- Renamed `Batcher` to `BatchSender` for clarity.
- Added `BatchSender::new` constructor for cleaner initialization.
- Simplified batch size management in `BatchSender`.
- Extracted `build_overrides` function for reusable override construction.
- Improved error handling and validation in override building.
- Enhanced performance with directory and file type filtering in `walk`.

* Improve logging and streamline directory walk process:

- Added detailed `tracing` logs for debugging batch flushes, override construction, and walk initialization/completion.
- Optimized and simplified `filter_entry` logic for directory and file type filters.
- Improved metadata checks and max file size enforcement during the scan.

* Refactor and optimize taint tracking, label rules, and directory walk process:

- Replaced `DefaultHasher` with `blake3::Hasher` for improved taint hashing.
- Enhanced sorting and hashing logic in `taint.rs` for consistency and efficiency.
- Removed unused `set_hash` function and redundant imports across files.
- Improved batch sender logic in `walk.rs`, renaming key components for clarity.
- Unified `spawn_senders` and `spawn_file_walker` with thread handling and channel tuple return.
- Expanded label rules with additional matchers for sources, sanitizers, and sinks.
- Deprecated `dump_cfg` and specific logging utilities in `cfg.rs` for code cleanup.

* fix: fixed let chains error in walk.rs

* fix: updated dependencies

* fix: updated dependencies

* chore: Remove standard error in scan.rs

* feat: Introduce function summaries for enhanced taint and control flow analysis

* feat: Enhance taint analysis with interop support and function summaries

* feat: Add configuration analysis module and enhance matcher rules

* feat: Add arity column to function_summaries and handle schema migration

* fix: fixed clippy &PathBuf warnings

* chore: Update dependencies and versioning in Cargo files

* docs: Update README to enhance clarity and detail on features and analysis modes

* chore: Update CHANGELOG for version 0.2.0 with new features, changes, and fixes

* docs: Update SECURITY.md to clarify version support status

---------

Co-authored-by: elipeter <eli.peter@es.fcm.travel>
											
										
										
											2026-02-24 23:44:07 -05:00
+								| 0.2.x   | ✅        | Latest stable line   |
-												Create SECURITY.md (#25)




											
										
										
											2025-06-28 18:34:22 +02:00
+								| 0.1.x   | ✅        | Critical fixes only  |
 								| < 0.1   | ❌        | End-of-life          |
 								We follow [Semantic Versioning] as soon as we hit **1.0.0**.
 								Before that, breaking changes may land in any minor release.
 								## Reporting a Vulnerability
 								* **Private disclosure first.**
 								  Please **do not** open public GitHub issues for security bugs.
 								* **How to report**
 . To report a vulnerability, please use the GitHub disclosure in the security tab to alert us to a security issue.
 								* **What to include**
 								  – A minimal PoC or reproduction steps
 								  – Affected Nyx version (`nyx --version`) and OS
 								  – Impact explanation (e.g. RCE, DoS, data leak)
 								* **Response timeline**
 								  We acknowledge within **3 business days** and give a status update every **7 days** thereafter until resolution.
 								## Disclosure Process
 . We confirm the issue and assign a CVE (via GitHub or MITRE).
 . A fix is developed on a private branch and back-ported if needed.
 . Coordinated release: new version on crates.io + public advisory.
 . Credit is given to the reporter unless they request anonymity.
 								## Scope & Severity
 								This policy covers vulnerabilities that let an **untrusted Nyx input** cause:
 								* Remote or local code execution in the Nyx process
 								* Privilege escalation, data exfiltration, or denial of service
 								**False positives / missed detections** in scan results are *quality issues*, not security issues—please file normal GitHub issues for those.
 								[Semantic Versioning]: https://semver.org